Add an AWS Account to Palette

Palette supports integration with Amazon Web Services (AWS) Cloud Accounts, including AWS GovCloud (US) and AWS Secret Cloud (US) accounts. This section explains how to create an AWS cloud account in Palette. You can use any of the following authentication methods to register your cloud account.

• AWS

  • Static Access Credentials
  • Dynamic Access Credentials
  • EKS Pod Identity

• AWS GovCloud (US)

  • Static Access Credentials
  • Dynamic Access Credentials
  • EKS Pod Identity

• AWS Secret Cloud (SC2S) (US)

  • Static Access Credentials
  • Secure Compliance Validation Credentials
  • EKS Pod Identity

AWS Account

This section provides guidance on creating an AWS account that uses static or dynamic access credentials as well as EKS Pod Identity.

Static Access Credentials

Use the steps below to add an AWS cloud account using static access credentials.

Prerequisites

• A Palette account with tenant admin access.

• An AWS account with an IAM role or IAM user for Palette.

• An AWS account with the required IAM policies assigned to the Palette IAM user or IAM role.

Add AWS Account to Palette

1. Log in to Palette as tenant admin.

2. From the left Main Menu, click on Tenant Settings.

3. Select Cloud Accounts, and click Add AWS Account.

4. In the cloud account creation wizard provide the following information:

   • Account Name: Custom name for the cloud account.

   • Description: Optional description for the cloud account.

   • Partition: Choose AWS from the drop-down Menu.

   • Credentials:

     • AWS Access key

     • AWS Secret access key

5. Click the Validate button to validate the credentials.

6. Once the credentials are validated, the Add IAM Policies toggle is displayed. Toggle Add IAM Policies on.

7. Use the drop-down Menu, which lists available IAM policies in your AWS account, to select any desired IAM policies you want to assign to the Palette IAM role or IAM user.

Validate

You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts, navigate to the left Main Menu and click on Tenant Settings. Next, click on Cloud Accounts. Your newly added AWS cloud account is listed under the AWS section.

Dynamic Access Credentials

Use the steps below to add an AWS cloud account using Security Token Service (STS) credentials.

Prerequisites

• A Palette account with tenant admin access.

• If you are using a self-hosted instance of Palette or VerteX, you must configure an AWS account at the instance-level to allow tenants to add AWS accounts using STS. For more information, refer to Enable Adding AWS Accounts Using STS - Palette or Enable Adding AWS Accounts Using STS - VerteX.

• An AWS account with an IAM role or IAM user for Palette.

• An AWS account with the required IAM policies assigned to the Palette IAM user or IAM role.

Add AWS Account to Palette

1. Log in to Palette as tenant admin.

2. From the left Main Menu, click on Tenant Settings.

3. Select Cloud Accounts, and click Add AWS Account.

4. In the cloud account creation wizard, enter the following information:

   • Account Name: Custom name for the cloud account.
   • Description: Optional description for the cloud account.
   • Select STS authentication for validation.

5. You will be provided with information on the right side of the wizard. You will need this information to create an IAM role for Palette. The following table lists the information provided by the wizard after you select STS.

   Parameter	Description
   Trusted Entity Type	Another AWS account.
   Account ID	Copy the Account ID displayed on the UI. If using a self-hosted instance, this is the same AWS account that you configured for your Palette or VerteX instance to enable STS.
   Require External ID	Enable.
   External ID	Copy the External ID displayed on the UI. This ID is generated by Palette or VerteX and is different per tenant.
   Permissions Policy	Search and select the 4 policies added in step 2.
   Role Name	SpectroCloudRole.

6. In the AWS console, browse to the Role Details page and copy the Amazon Resource Name (ARN) for the role.

7. In Palette, paste the role ARN into the ARN field.

8. Click the Validate button to validate the credentials.

Validate

You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts, navigate to the left Main Menu. Click on Tenant Settings. Next, click on Cloud Accounts. Your newly added AWS cloud account is listed under the AWS section.

EKS Pod Identity

Palette supports EKS Pod Identity, which allows pods to securely access AWS services using short-lived credentials. This is achieved by associating an IAM role with a Kubernetes service account, enabling pods that use that service account to assume the IAM role and access AWS resources without needing to manage long-lived AWS credentials.

Limitations

• This authentication option is only available for self-hosted Palette or Palette VerteX instances deployed on Amazon EKS clusters.

• Only Amazon EKS clusters can be deployed as workload clusters when using EKS Pod Identity for authentication.

Prerequisites

• Self-hosted Palette or Palette VerteX deployed on an Amazon EKS cluster with Kubernetes version 1.24 or later.

  • A ConfigMap named palette-global-config must exist in the kube-system namespace with a managementClusterName key set to the EKS management cluster's name where Palette or Palette VerteX is deployed.

    If this key is missing, the fallback mechanism will obtain the cluster's name using IMDS and EC2 tags, but for this to work, the cluster must have only EKS managed node groups with a CNI plugin that does not block IMDS access from pods.

    Click to display kubectl commands to check for and create the ConfigMap

    1. Log in to the Local UI of the leader host of the Palette or Palette VerteX management cluster.

    2. On the Cluster page, under Environment, click on the Admin Kubeconfig File to download it to your local machine.

    3. On your local machine, open a terminal session and export the KUBECONFIG environment variable to point to the downloaded kubeconfig file.

       export KUBECONFIG=/path/to/downloaded/kubeconfig

    4. Use the following kubectl command to check if the palette-global-config ConfigMap already exists.

       kubectl describe configmap palette-global-config --namespace kube-system

       If the ConfigMap exists, the output will be similar to the following example.

       apiVersion: v1
       kind: ConfigMap
       metadata:
         name: palette-global-config
         namespace: kube-system
       data:
         managementClusterName: "palette-eks-management-cluster"

    5. If the ConfigMap does not exist, use the following kubectl command to create it. Replace <eks-management-cluster-name> with the name of your EKS management cluster where Palette or Palette VerteX is deployed.

       kubectl create configmap palette-global-config \
         --from-literal=managementClusterName="<eks-management-cluster-name>" \
         --namespace kube-system

  • The EKS Pod Identity Agent must be enabled on the Amazon EKS cluster. Refer to the Set up the Amazon EKS Pod Identity Agent guide for more information.

• Access to the Amazon EKS cluster's kubeconfig file. You must be able to use kubectl to perform validation steps on the cluster.

• A Palette account with tenant admin access.

• If you need your workload clusters to access AWS resources in the same AWS account as the EKS management cluster, three IAM roles must be created for Palette and two of its services.

  The following table lists the IAM roles that must be created. Create them in the order shown as some roles are referenced by others.

  Service	IAM Role Name Example
  Palette	SpectroCloudPaletteRole
  Hubble service	SpectroCloudHubbleRole
  Identity service	SpectroCloudIdentityRole

  The following tabs provide guidance on the trust policies and permissions policies that must be assigned to each IAM role. Create these IAM roles in the same AWS account as the EKS management cluster that hosts Palette or Palette VerteX.

  Palette IAM role

  • The following trust policy must be assigned to the IAM role created for Palette. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The required IAM policies must be assigned to the IAM role created for Palette.

  • In addition to the required IAM policies, the following permissions policy must also be assigned to the IAM role created for Palette.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM role

  • The following trust policy must be assigned to the IAM role created for the Hubble service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM role created for the Hubble service.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowIAMValidation",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies",
            "iam:GetRolePolicy",
            "iam:GetPolicy",
            "iam:GetPolicyVersion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEC2Describe",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeRegions",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeRouteTables",
            "ec2:DescribeKeyPairs"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEKSDescribe",
          "Effect": "Allow",
          "Action": [
            "eks:DescribeCluster",
            "eks:ListClusters",
            "eks:DescribeNodegroup",
            "eks:ListNodegroups",
            "eks:DescribeAddon",
            "eks:ListAddons"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowKMSRead",
          "Effect": "Allow",
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases",
            "kms:DescribeKey",
            "kms:GetKeyPolicy",
            "kms:GetKeyRotationStatus"
          ],
          "Resource": "*"
        }
      ]
    }

  Identity service IAM role

  • The following trust policy must be assigned to the IAM role created for the identity service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM role created for the identity service.

    • Replace <aws-account-id> with your AWS account ID.
    • Replace <role-name-for-palette-iam-role> with the name of the IAM role created for Palette (for example, SpectroCloudPaletteRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EKSPodIdentityManagement",
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "EC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "IAM",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole"
          ],
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<role-name-for-palette-iam-role>"
          ]
        },
        {
          "Sid": "IAMPassRoleforPodIdentity",
          "Effect": "Allow",
          "Action": [
            "iam:PassRole"
          ],
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<role-name-for-palette-iam-role>"
          ]
        }
      ]
    }

• If you need your workload clusters to access AWS resources in different AWS accounts to the one where your EKS management cluster is deployed, cross-account IAM roles must be created for Palette and two of its services. Refer to the Amazon EKS documentation for more details about this requirement.

  The following table lists the IAM roles that must be created. Create them in the order shown as some roles are referenced by others.

  Service	IAM Role Name Example	Where to Create Role
  Identity service	SpectroCloudIdentityLocalRole	Same AWS account as EKS management cluster
  Palette	SpectroCloudPaletteTargetRole	Target AWS account for workload cluster resources
  Hubble service	SpectroCloudHubbleTargetRole	Target AWS account for workload cluster resources
  Hubble service	SpectroCloudHubbleLocalRole	Same AWS account as EKS management cluster

  The following tabs provide guidance on the trust policies and permissions policies that must be assigned to each IAM role.

  Identity service IAM local role

  You must create an IAM local role for the Palette identity service in two stages.

  1. Create the IAM local role with the trust policy outlined in this tab.
  2. After creation, assign the permissions policy outlined in this tab to the IAM local role.

  
  

  info

  These stages are required as the IAM local role ARN for the Palette identity service must be self-referenced in its own permissions policy. If the role is not created first, AWS will not be able to validate the policy.

  • The following trust policy must be assigned to the IAM local role created for the identity service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM local role created for the identity service.

    • Replace <target-aws-account-id> with the AWS account ID where the workload cluster resources are located.
    • Replace <role-name-for-palette-iam-local-role> with the name of the IAM role created for Palette in the target AWS account (for example, SpectroCloudPaletteTargetRole).
    • Replace <aws-management-cluster-account-id> with the AWS account ID where the EKS management cluster is deployed.
    • Replace <role-name-for-identity-service-iam-local-role> with the name of this IAM role created for the identity service (for example, SpectroCloudIdentityLocalRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EKSPodIdentityManagement",
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "EC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "IAM",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:PassRole",
            "sts:AssumeRole",
            "sts:TagSession"
          ],
          "Resource": [
            "arn:aws:iam::<target-aws-account-id>:role/<role-name-for-palette-iam-local-role>",
            "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          ]
        }
      ]
    }

  Palette IAM target role

  • The following trust policy must be assigned to the IAM target role created for Palette. This trust policy is the same as outlined in the Amazon EKS documentation.

    • Replace <aws-management-cluster-account-id> with the AWS account ID where the EKS management cluster is deployed.
    • Replace <aws-management-cluster-region> with the AWS region where the EKS management cluster is deployed.
    • Replace <management-cluster-name> with the name of the EKS management cluster.
    • Replace <role-name-for-identity-service-iam-local-role> with the name of the IAM role created for the identity service (for example, SpectroCloudIdentityLocalRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/palette-identity/palette-identity"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringLike": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/*/palette-manager"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:TagSession"
        },
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The required IAM policies must be assigned to the IAM target role created for Palette.

  • In addition to the required IAM policies, the following permissions policy must also be assigned to the IAM target role created for Palette.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM target role

  • The following trust policy must be assigned to the IAM target role created for the Hubble service. Replace the following templated values with your own values.

    • <aws-management-cluster-account-id>: The AWS account ID where the EKS management cluster is deployed.
    • <aws-management-cluster-region>: The AWS region where the EKS management cluster is deployed.
    • <management-cluster-name>: The name of the EKS management cluster.
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/spectro-hubble-identity"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/hubble-system/spectro-hubble"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/spectro-hubble-identity"
          },
          "Action": "sts:TagSession"
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM target role created for the Hubble service.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowIAMValidation",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies",
            "iam:GetRolePolicy",
            "iam:GetPolicy",
            "iam:GetPolicyVersion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEC2Describe",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeRegions",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeRouteTables",
            "ec2:DescribeKeyPairs"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEKSDescribe",
          "Effect": "Allow",
          "Action": [
            "eks:DescribeCluster",
            "eks:ListClusters",
            "eks:DescribeNodegroup",
            "eks:ListNodegroups",
            "eks:DescribeAddon",
            "eks:ListAddons"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowKMSRead",
          "Effect": "Allow",
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases",
            "kms:DescribeKey",
            "kms:GetKeyPolicy",
            "kms:GetKeyRotationStatus"
          ],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM local role

  • The following trust policy must be assigned to the IAM local role created for Hubble service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM local role created for Hubble service.

    • Replace the <target-aws-account-id> placeholder with the AWS account ID where the workload cluster resources are located.
    • Replace the <hubble-service-iam-target-role> placeholder with the name of the IAM role created for the Hubble service in the target AWS account (for example, SpectroCloudHubbleTargetRole).
    
    

    {
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "sts:AssumeRole",
        "sts:TagSession"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::<target-aws-account-id>:role/<hubble-service-iam-target-role>"
      ],
      "Sid": "IAM"
    }

• The IAM roles created for the Palette Hubble service and Palette identity service must have pod identity associations with the following Kubernetes service accounts. This is not required for the IAM role created for Palette itself.

  Palette Service	Kubernetes Namespace	Kubernetes Service Account
  Hubble	hubble-system	spectro-hubble
  Identity service	palette-identity	palette-identity

  Click to display example AWS CLI commands to create pod identity associations

  Use the commands in the appropriate tab below depending on whether your workload clusters need to access AWS resources in the same AWS account as the EKS management cluster, or in different AWS accounts.

  Same AWS Account

  Use the following AWS CLI command to create a pod identity association for the Palette Hubble service in the same AWS account as the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS cluster.
  • Replace <aws-account-id> with your AWS account ID.
  • Replace <hubble-service-iam-role-name> with the name of the IAM role created for the Palette Hubble service (for example, SpectroCloudHubbleRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace hubble-system \
  --service-account spectro-hubble \
  --role-arn arn:aws:iam::<aws-account-id>:role/<hubble-service-iam-role-name>

  Similarly, use the following AWS CLI command to create a pod identity association for the Palette identity service in the same AWS account as the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS Cluster.
  • Replace <aws-account-id> with your AWS account ID.
  • Replace <identity-service-iam-role-name> with the name of the IAM role created for the Palette identity service (for example, SpectroCloudIdentityRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace palette-identity \
  --service-account palette-identity \
  --role-arn arn:aws:iam::<aws-account-id>:role/<identity-service-iam-role-name>

  Different AWS Accounts

  Use the following AWS CLI command to create a pod identity association for the Palette Hubble service that needs to access AWS resources in a different AWS account to the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS cluster.
  • Replace <aws-management-cluster-account-id> with the AWS account ID where your EKS management cluster is located.
  • Replace <hubble-service-iam-local-role-name> with the name of the IAM role created for the Palette Hubble service (for example, SpectroCloudHubbleLocalRole).
  • Replace <target-aws-account-id> with the AWS account ID where the workload cluster resources are located.
  • Replace <hubble-service-iam-target-role-name> with the name of the IAM role created for the Hubble service in the target AWS account (for example, SpectroCloudHubbleTargetRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace hubble-system \
  --service-account spectro-hubble \
  --role-arn arn:aws:iam::<aws-management-cluster-account-id>:role/<hubble-service-iam-local-role-name>
  --target-role-arn arn:aws:iam::<target-aws-account-id>:role/<hubble-service-iam-target-role-name>

  Similarly, use the following AWS CLI command to create a pod identity association for the Palette identity service that needs to access AWS resources in a different AWS account to the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS Cluster.
  • Replace <aws-management-cluster-account-id> with the AWS account ID where your EKS management cluster is located.
  • Replace <identity-service-iam-local-role-name> with the name of the IAM role created for the Palette identity service (for example, SpectroCloudIdentityLocalRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace palette-identity \
  --service-account palette-identity \
  --role-arn arn:aws:iam::<aws-management-cluster-account-id>:role/<identity-service-iam-local-role-name>

Enablement

1. Log in to Palette or Palette VerteX as tenant admin.

2. From the left Main Menu, click on Tenant Settings.

3. Select Cloud Accounts, and click Add AWS Account.

4. In the cloud account creation wizard, enter the following information:

   • Account Name: Custom name for the cloud account.
   • Description: Optional description for the cloud account.
   • Partition: AWS
   • Select EKS Pod Identity authentication for validation.

5. In the AWS console, browse to the Role Details page for the IAM role created for Palette (for example, SpectroCloudRole) and copy the Amazon Resource Name (ARN).

6. In Palette, paste the role ARN into the ARN field.

7. Click the Validate button to validate the credentials.

   The Add IAM Policies option appears after successful validation. You can leave this blank for the purposes of EKS Pod Identity enablement, as the required IAM policies should have already been assigned to the IAM role created for Palette (for example, SpectroCloudRole).

8. (Optional) To set a permission boundary, click the Add Permission Boundary toggle and provide the ARN of a IAM policy or role in the Permission Boundary ARN field.

9. Click Confirm to create your AWS account.

Validate

1. Log in to Palette or Palette VerteX as tenant admin.

2. From the left main menu, click on Tenant Settings.

3. Ensure Cloud Accounts is selected. Your newly added AWS cloud account is listed under the AWS section.

4. Open a terminal session and ensure you have access to the kubeconfig file for the Amazon EKS cluster where Palette or Palette VerteX is deployed. Set the KUBECONFIG environment variable to point to the file.

   export KUBECONFIG=/path/to/kubeconfig/file

5. Issue the following kubectl commands to verify that EKS Pod Identity has set the required environment variables for the spectro-hubble and palette-identity pods.

   kubectl get pods --namespace hubble-system --selector app=spectro-hubble -ojsonpath='{.items[0].spec.containers[0].env[*].name}' | tr ' ' '\n' | grep AWS_CONTAINER

   kubectl get pods --namespace palette-identity --selector app=palette-identity -ojsonpath='{.items[0].spec.containers[0].env[*].name}' | tr ' ' '\n' | grep AWS_CONTAINER

   The output from both commands should include the following environment variables indicating that Amazon EKS has injected the necessary configuration for EKS Pod Identity.

   AWS_CONTAINER_CREDENTIALS_FULL_URI
   AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE

AWS GovCloud Account (US)

Palette supports integration with AWS GovCloud (US). Using Palette, you can deploy Kubernetes clusters to your AWS GovCloud account. This section provides guidance on creating an AWS GovCloud account that uses static or dynamic access credentials as well as EKS Pod Identity.

Static Access Credentials

Use the steps below to add an AWS cloud account using static access credentials.

Prerequisites

• A Palette account with tenant admin access.

• An AWS account with an IAM role or IAM user for Palette.

• An AWS account with the required IAM policies assigned to the Palette IAM user or IAM role.

Add AWS GovCloud Account to Palette

1. Log in to Palette as tenant admin.

2. From the left Main Menu, click on Tenant Settings.

3. Select Cloud Accounts, and click Add AWS Account.

4. In the cloud account creation wizard provide the following information:

   • Account Name: Custom name for the cloud account.

   • Description: Optional description for the cloud account.

   • Partition: Choose AWS US Gov from the drop-down Menu.

   • Credentials:

     • AWS Access key
     • AWS Secret access key

5. Click the Validate button to validate the credentials.

6. Once the credentials are validated, verified by a green check mark, the Add IAM Policies toggle is displayed. Toggle Add IAM Policies on.

7. Use the drop-down Menu, which lists available IAM policies in your AWS account, to select any desired IAM policies you want to assign to the Palette IAM role or IAM user.

Validate

You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts, navigate to the left Main Menu. Click on Tenant Settings. Next, click Cloud Accounts. Your newly added AWS cloud account is listed under the AWS section.

Dynamic Access Credentials

Use the steps below to add an AWS cloud account using STS credentials.

Prerequisites

• A Palette account with tenant admin access.

• If you are using a self-hosted instance of Palette or VerteX, you must configure an AWS account at the instance-level to allow tenants to add AWS accounts using STS. For more information, refer to Enable Adding AWS Accounts Using STS - Palette or Enable Adding AWS Accounts Using STS - VerteX.

• An AWS account with an IAM role or IAM user for Palette.

• An AWS account with the required IAM policies assigned to the Palette IAM user or IAM role.

Add AWS GovCloud Account to Palette

1. Log in to Palette as Tenant admin.

2. From the left Main Menu, click on Tenant Settings.

3. Select Cloud Accounts, and click Add AWS Account.

4. In the cloud account creation wizard, enter the following information:

   • Account Name
   • Description
   • Select STS authentication for validation.

5. You will be provided with information on the right side of the wizard. You will need this information to create an IAM Role for Palette. The following table lists the information provided by the wizard after you select STS.

   Parameter	Description
   Trusted Entity Type	Another AWS account.
   Account ID	Copy the Account ID displayed on the UI. If using a self-hosted instance, this is the same AWS account that you configured for your Palette or VerteX instance to enable STS.
   Require External ID	Enable.
   External ID	Copy the External ID displayed on the UI. This ID is generated by Palette or VerteX and is different per tenant.
   Permissions Policy	Search and select the 4 policies added in step #2.
   Role Name	SpectroCloudRole.

6. In the AWS console, browse to the Role Details page and copy the ARN for the role.

7. In Palette, paste the role ARN into the ARN input box.

8. Click the Validate button to validate the credentials.

Validate

You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts, navigate to the left Main Menu. Click on Tenant Settings. Next, click on Cloud Accounts. Your newly added AWS cloud account is listed under the AWS section.

EKS Pod Identity

Palette supports EKS Pod Identity, which allows pods to securely access AWS services using short-lived credentials. This is achieved by associating an IAM role with a Kubernetes service account, enabling pods that use that service account to assume the IAM role and access AWS resources without needing to manage long-lived AWS credentials.

Limitations

• This authentication option is only available for self-hosted Palette or Palette VerteX instances deployed on Amazon EKS clusters.

• Only Amazon EKS clusters can be deployed as workload clusters when using EKS Pod Identity for authentication.

Prerequisites

• Self-hosted Palette or Palette VerteX deployed on an Amazon EKS cluster with Kubernetes version 1.24 or later.

  • A ConfigMap named palette-global-config must exist in the kube-system namespace with a managementClusterName key set to the EKS management cluster's name where Palette or Palette VerteX is deployed.

    If this key is missing, the fallback mechanism will obtain the cluster's name using IMDS and EC2 tags, but for this to work, the cluster must have only EKS managed node groups with a CNI plugin that does not block IMDS access from pods.

    Click to display kubectl commands to check for and create the ConfigMap

    1. Log in to the Local UI of the leader host of the Palette or Palette VerteX management cluster.

    2. On the Cluster page, under Environment, click on the Admin Kubeconfig File to download it to your local machine.

    3. On your local machine, open a terminal session and export the KUBECONFIG environment variable to point to the downloaded kubeconfig file.

       export KUBECONFIG=/path/to/downloaded/kubeconfig

    4. Use the following kubectl command to check if the palette-global-config ConfigMap already exists.

       kubectl describe configmap palette-global-config --namespace kube-system

       If the ConfigMap exists, the output will be similar to the following example.

       apiVersion: v1
       kind: ConfigMap
       metadata:
         name: palette-global-config
         namespace: kube-system
       data:
         managementClusterName: "palette-eks-management-cluster"

    5. If the ConfigMap does not exist, use the following kubectl command to create it. Replace <eks-management-cluster-name> with the name of your EKS management cluster where Palette or Palette VerteX is deployed.

       kubectl create configmap palette-global-config \
         --from-literal=managementClusterName="<eks-management-cluster-name>" \
         --namespace kube-system

  • The EKS Pod Identity Agent must be enabled on the Amazon EKS cluster. Refer to the Set up the Amazon EKS Pod Identity Agent guide for more information.

• Access to the Amazon EKS cluster's kubeconfig file. You must be able to use kubectl to perform validation steps on the cluster.

• A Palette account with tenant admin access.

• If you need your workload clusters to access AWS resources in the same AWS account as the EKS management cluster, three IAM roles must be created for Palette and two of its services.

  The following table lists the IAM roles that must be created. Create them in the order shown as some roles are referenced by others.

  Service	IAM Role Name Example
  Palette	SpectroCloudPaletteRole
  Hubble service	SpectroCloudHubbleRole
  Identity service	SpectroCloudIdentityRole

  The following tabs provide guidance on the trust policies and permissions policies that must be assigned to each IAM role. Create these IAM roles in the same AWS account as the EKS management cluster that hosts Palette or Palette VerteX.

  Palette IAM role

  • The following trust policy must be assigned to the IAM role created for Palette. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The required IAM policies must be assigned to the IAM role created for Palette.

  • In addition to the required IAM policies, the following permissions policy must also be assigned to the IAM role created for Palette.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM role

  • The following trust policy must be assigned to the IAM role created for the Hubble service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM role created for the Hubble service.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowIAMValidation",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies",
            "iam:GetRolePolicy",
            "iam:GetPolicy",
            "iam:GetPolicyVersion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEC2Describe",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeRegions",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeRouteTables",
            "ec2:DescribeKeyPairs"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEKSDescribe",
          "Effect": "Allow",
          "Action": [
            "eks:DescribeCluster",
            "eks:ListClusters",
            "eks:DescribeNodegroup",
            "eks:ListNodegroups",
            "eks:DescribeAddon",
            "eks:ListAddons"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowKMSRead",
          "Effect": "Allow",
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases",
            "kms:DescribeKey",
            "kms:GetKeyPolicy",
            "kms:GetKeyRotationStatus"
          ],
          "Resource": "*"
        }
      ]
    }

  Identity service IAM role

  • The following trust policy must be assigned to the IAM role created for the identity service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM role created for the identity service.

    • Replace <aws-account-id> with your AWS account ID.
    • Replace <role-name-for-palette-iam-role> with the name of the IAM role created for Palette (for example, SpectroCloudPaletteRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EKSPodIdentityManagement",
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "EC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "IAM",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole"
          ],
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<role-name-for-palette-iam-role>"
          ]
        },
        {
          "Sid": "IAMPassRoleforPodIdentity",
          "Effect": "Allow",
          "Action": [
            "iam:PassRole"
          ],
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<role-name-for-palette-iam-role>"
          ]
        }
      ]
    }

• If you need your workload clusters to access AWS resources in different AWS accounts to the one where your EKS management cluster is deployed, cross-account IAM roles must be created for Palette and two of its services. Refer to the Amazon EKS documentation for more details about this requirement.

  The following table lists the IAM roles that must be created. Create them in the order shown as some roles are referenced by others.

  Service	IAM Role Name Example	Where to Create Role
  Identity service	SpectroCloudIdentityLocalRole	Same AWS account as EKS management cluster
  Palette	SpectroCloudPaletteTargetRole	Target AWS account for workload cluster resources
  Hubble service	SpectroCloudHubbleTargetRole	Target AWS account for workload cluster resources
  Hubble service	SpectroCloudHubbleLocalRole	Same AWS account as EKS management cluster

  The following tabs provide guidance on the trust policies and permissions policies that must be assigned to each IAM role.

  Identity service IAM local role

  You must create an IAM local role for the Palette identity service in two stages.

  1. Create the IAM local role with the trust policy outlined in this tab.
  2. After creation, assign the permissions policy outlined in this tab to the IAM local role.

  
  

  info

  These stages are required as the IAM local role ARN for the Palette identity service must be self-referenced in its own permissions policy. If the role is not created first, AWS will not be able to validate the policy.

  • The following trust policy must be assigned to the IAM local role created for the identity service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM local role created for the identity service.

    • Replace <target-aws-account-id> with the AWS account ID where the workload cluster resources are located.
    • Replace <role-name-for-palette-iam-local-role> with the name of the IAM role created for Palette in the target AWS account (for example, SpectroCloudPaletteTargetRole).
    • Replace <aws-management-cluster-account-id> with the AWS account ID where the EKS management cluster is deployed.
    • Replace <role-name-for-identity-service-iam-local-role> with the name of this IAM role created for the identity service (for example, SpectroCloudIdentityLocalRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EKSPodIdentityManagement",
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "EC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "IAM",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:PassRole",
            "sts:AssumeRole",
            "sts:TagSession"
          ],
          "Resource": [
            "arn:aws:iam::<target-aws-account-id>:role/<role-name-for-palette-iam-local-role>",
            "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          ]
        }
      ]
    }

  Palette IAM target role

  • The following trust policy must be assigned to the IAM target role created for Palette. This trust policy is the same as outlined in the Amazon EKS documentation.

    • Replace <aws-management-cluster-account-id> with the AWS account ID where the EKS management cluster is deployed.
    • Replace <aws-management-cluster-region> with the AWS region where the EKS management cluster is deployed.
    • Replace <management-cluster-name> with the name of the EKS management cluster.
    • Replace <role-name-for-identity-service-iam-local-role> with the name of the IAM role created for the identity service (for example, SpectroCloudIdentityLocalRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/palette-identity/palette-identity"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringLike": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/*/palette-manager"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:TagSession"
        },
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The required IAM policies must be assigned to the IAM target role created for Palette.

  • In addition to the required IAM policies, the following permissions policy must also be assigned to the IAM target role created for Palette.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM target role

  • The following trust policy must be assigned to the IAM target role created for the Hubble service. Replace the following templated values with your own values.

    • <aws-management-cluster-account-id>: The AWS account ID where the EKS management cluster is deployed.
    • <aws-management-cluster-region>: The AWS region where the EKS management cluster is deployed.
    • <management-cluster-name>: The name of the EKS management cluster.
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/spectro-hubble-identity"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/hubble-system/spectro-hubble"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/spectro-hubble-identity"
          },
          "Action": "sts:TagSession"
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM target role created for the Hubble service.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowIAMValidation",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies",
            "iam:GetRolePolicy",
            "iam:GetPolicy",
            "iam:GetPolicyVersion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEC2Describe",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeRegions",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeRouteTables",
            "ec2:DescribeKeyPairs"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEKSDescribe",
          "Effect": "Allow",
          "Action": [
            "eks:DescribeCluster",
            "eks:ListClusters",
            "eks:DescribeNodegroup",
            "eks:ListNodegroups",
            "eks:DescribeAddon",
            "eks:ListAddons"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowKMSRead",
          "Effect": "Allow",
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases",
            "kms:DescribeKey",
            "kms:GetKeyPolicy",
            "kms:GetKeyRotationStatus"
          ],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM local role

  • The following trust policy must be assigned to the IAM local role created for Hubble service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM local role created for Hubble service.

    • Replace the <target-aws-account-id> placeholder with the AWS account ID where the workload cluster resources are located.
    • Replace the <hubble-service-iam-target-role> placeholder with the name of the IAM role created for the Hubble service in the target AWS account (for example, SpectroCloudHubbleTargetRole).
    
    

    {
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "sts:AssumeRole",
        "sts:TagSession"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::<target-aws-account-id>:role/<hubble-service-iam-target-role>"
      ],
      "Sid": "IAM"
    }

• The IAM roles created for the Palette Hubble service and Palette identity service must have pod identity associations with the following Kubernetes service accounts. This is not required for the IAM role created for Palette itself.

  Palette Service	Kubernetes Namespace	Kubernetes Service Account
  Hubble	hubble-system	spectro-hubble
  Identity service	palette-identity	palette-identity

  Click to display example AWS CLI commands to create pod identity associations

  Use the commands in the appropriate tab below depending on whether your workload clusters need to access AWS resources in the same AWS account as the EKS management cluster, or in different AWS accounts.

  Same AWS Account

  Use the following AWS CLI command to create a pod identity association for the Palette Hubble service in the same AWS account as the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS cluster.
  • Replace <aws-account-id> with your AWS account ID.
  • Replace <hubble-service-iam-role-name> with the name of the IAM role created for the Palette Hubble service (for example, SpectroCloudHubbleRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace hubble-system \
  --service-account spectro-hubble \
  --role-arn arn:aws:iam::<aws-account-id>:role/<hubble-service-iam-role-name>

  Similarly, use the following AWS CLI command to create a pod identity association for the Palette identity service in the same AWS account as the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS Cluster.
  • Replace <aws-account-id> with your AWS account ID.
  • Replace <identity-service-iam-role-name> with the name of the IAM role created for the Palette identity service (for example, SpectroCloudIdentityRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace palette-identity \
  --service-account palette-identity \
  --role-arn arn:aws:iam::<aws-account-id>:role/<identity-service-iam-role-name>

  Different AWS Accounts

  Use the following AWS CLI command to create a pod identity association for the Palette Hubble service that needs to access AWS resources in a different AWS account to the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS cluster.
  • Replace <aws-management-cluster-account-id> with the AWS account ID where your EKS management cluster is located.
  • Replace <hubble-service-iam-local-role-name> with the name of the IAM role created for the Palette Hubble service (for example, SpectroCloudHubbleLocalRole).
  • Replace <target-aws-account-id> with the AWS account ID where the workload cluster resources are located.
  • Replace <hubble-service-iam-target-role-name> with the name of the IAM role created for the Hubble service in the target AWS account (for example, SpectroCloudHubbleTargetRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace hubble-system \
  --service-account spectro-hubble \
  --role-arn arn:aws:iam::<aws-management-cluster-account-id>:role/<hubble-service-iam-local-role-name>
  --target-role-arn arn:aws:iam::<target-aws-account-id>:role/<hubble-service-iam-target-role-name>

  Similarly, use the following AWS CLI command to create a pod identity association for the Palette identity service that needs to access AWS resources in a different AWS account to the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS Cluster.
  • Replace <aws-management-cluster-account-id> with the AWS account ID where your EKS management cluster is located.
  • Replace <identity-service-iam-local-role-name> with the name of the IAM role created for the Palette identity service (for example, SpectroCloudIdentityLocalRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace palette-identity \
  --service-account palette-identity \
  --role-arn arn:aws:iam::<aws-management-cluster-account-id>:role/<identity-service-iam-local-role-name>

Enablement

1. Log in to Palette or Palette VerteX as tenant admin.

2. From the left Main Menu, click on Tenant Settings.

3. Select Cloud Accounts, and click Add AWS Account.

4. In the cloud account creation wizard, enter the following information:

   • Account Name: Custom name for the cloud account.
   • Description: Optional description for the cloud account.
   • Partition: AWS US Gov
   • Select EKS Pod Identity authentication for validation.

5. In the AWS console, browse to the Role Details page for the IAM role created for Palette (for example, SpectroCloudRole) and copy the Amazon Resource Name (ARN).

6. In Palette, paste the role ARN into the ARN field.

7. Click the Validate button to validate the credentials.

   The Add IAM Policies option appears after successful validation. You can leave this blank for the purposes of EKS Pod Identity enablement, as the required IAM policies should have already been assigned to the IAM role created for Palette (for example, SpectroCloudRole).

8. (Optional) To set a permission boundary, click the Add Permission Boundary toggle and provide the ARN of a IAM policy or role in the Permission Boundary ARN field.

9. Click Confirm to create your AWS account.

Validate

1. Log in to Palette or Palette VerteX as tenant admin.

2. From the left main menu, click on Tenant Settings.

3. Ensure Cloud Accounts is selected. Your newly added AWS cloud account is listed under the AWS section.

4. Open a terminal session and ensure you have access to the kubeconfig file for the Amazon EKS cluster where Palette or Palette VerteX is deployed. Set the KUBECONFIG environment variable to point to the file.

   export KUBECONFIG=/path/to/kubeconfig/file

5. Issue the following kubectl commands to verify that EKS Pod Identity has set the required environment variables for the spectro-hubble and palette-identity pods.

   kubectl get pods --namespace hubble-system --selector app=spectro-hubble -ojsonpath='{.items[0].spec.containers[0].env[*].name}' | tr ' ' '\n' | grep AWS_CONTAINER

   kubectl get pods --namespace palette-identity --selector app=palette-identity -ojsonpath='{.items[0].spec.containers[0].env[*].name}' | tr ' ' '\n' | grep AWS_CONTAINER

   The output from both commands should include the following environment variables indicating that Amazon EKS has injected the necessary configuration for EKS Pod Identity.

   AWS_CONTAINER_CREDENTIALS_FULL_URI
   AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE

AWS Secret Cloud Account (US)

You can configure AWS Secret Cloud accounts in Palette VerteX to deploy AWS EKS clusters in the AWS Secret region. Depending on your organization's compliance requirements, you can choose between standard authentication (standard access credentials), secure compliance validation using your SC2S Access Portal (SCAP) credentials, or EKS Pod Identity to register your AWS Secret Cloud account in Palette VerteX.

tech preview

This is a Tech Preview feature and is subject to change. Do not use this feature in production workloads.

Limitations

• Only Amazon Linux 2-based Amazon Machine Images are supported for Kubernetes control plane and worker nodes. Workloads deployed in the cluster should use Linux-based container images to ensure compatibility with the node operating system.

• User-provided Certificate Authority (CA) certificates are not automatically mounted on worker nodes in EKS clusters that are deployed in the AWS Secret region. As a result, applications or services that rely on custom CAs for Transport Layer Security (TLS) communication may fail to establish secure connections, and integrations with external services that require custom CAs may encounter Secure Socket Layer (SSL) or TLS verification issues.

  • Workloads requiring custom CAs for internal trust validation must use an alternative configuration, such as using a sidecar container to provide the CA certificate at runtime or embedding the CA certificate within the application. For guidance on embedding certificates within applications, refer to the official Kubernetes documentation on using Secrets as files from a Pod and creating pods that access Secret data through a Volume.

Prerequisites

• Palette VerteX installed and tenant admin access.

• The AwsSecretPartition feature flag enabled in the Palette VerteX system console.

• An AWS account with an IAM role or IAM user for Palette VerteX.

• An AWS account with the required IAM policies assigned to the Palette VerteX IAM user or IAM role.

• A secure connection to your AWS Secret Cloud account, such as via a Private Cloud Gateway (PCG), Wide Area Network tunnel, or AWS Private Link.

Static Access Credentials

Use the steps below to add an AWS Secret Cloud account using static access credentials.

Add AWS Secret Cloud to Palette VerteX

1. Log in to Palette VerteX as tenant admin.

2. From the left Main Menu, click on Tenant Settings.

3. Select Cloud Accounts, and click Add AWS Account.

4. In the cloud account creation wizard provide the following information:

   • Account Name: Custom name for the cloud account.

   • Description: Optional description for the cloud account.

   • Partition: Choose AWS US Secret from the drop-down Menu.

   • Credentials:

     • AWS Access key
     • AWS Secret access key

   • Certificate Authority: Paste the root, intermediate, or chain of trust certificate in PEM-encoded format. Contact your organization's security team or AWS Secret Cloud administrator to obtain this certificate.

5. Click the Validate button to validate the credentials.

6. Once the credentials are validated, verified by a green check mark, the Add IAM Policies toggle is displayed. Toggle Add IAM Policies on.

7. Use the drop-down Menu, which lists available IAM policies in your AWS account, to select any desired IAM policies you want to assign to the Palette IAM role or IAM user.

8. If you are using a PCG to connect to your AWS Secret Cloud account to Palette VerteX, toggle Connect Private Cloud Gateway on, and select a Private Cloud Gateway from the list. This list is populated automatically with the Private Cloud Gateways listed in Tenant Settings. For more information, refer to the Private Cloud Gateway page.

9. Click Confirm to create your AWS Secret Cloud account.

Validate

You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts, navigate to the left Main Menu. Click on Tenant Settings. Next, click Cloud Accounts. Your newly added AWS cloud account is listed under the AWS section.

Secure Compliance Validation Credentials

Use the steps below to add an AWS Secret Cloud account using SCAP secure compliance validation credentials.

Add AWS Secret Cloud to Palette VerteX

1. Log in to Palette VerteX as tenant admin.

2. From the left Main Menu, click on Tenant Settings.

3. Select Cloud Accounts, and click Add AWS Account.

4. In the cloud account creation wizard, enter the following information:

   • Account Name: Custom name for the cloud account.

   • Description: Optional description for the cloud account.

   • Partition: Choose AWS US Secret from the drop-down Menu.

5. Toggle on Secure Compliance Validation and enter the following information.

   Parameter	Description
   Agency Name	Enter the SCAP agency name.
   Account Name	Enter the SCAP account name or number.
   CAP/SCAP Role Name	Enter the role name provided by the SCAP administrator. This role determines the AWS permissions granted to the account.
   Role Prefix (Optional)	Choose a prefix to standardize role names. If no prefix is provided, a default prefix of PROJECT_ is used. For example, if the initial role name is DevOpsRole, the full role name would be PROJECT_DevOpsRole.
   Permission Boundary (Optional)	If you want to apply a permission boundary and limit the maximum permissions a role or user can have, provide the IAM policy ARN (for example, arn:aws:iam::123456789012:policy/MyPermissionBoundaryPolicy). Refer to the AWS Permissions boundaries for IAM entities page for additional information on permission boundaries.
   Certificate Authority	Paste the root, intermediate, or chain of trust certificate in PEM-encoded format. Contact your organization's security team or AWS Secret Cloud administrator to obtain this certificate.
   User Certificate	Paste your user-issued digital certificate in PEM-encoded format.
   User Key	Provide the private cryptographic key associated with the user certificate in PEM-encoded format.

   Palette provides default values for CAP/SCAP endpoints. Users can change these configurations on their self-hosted Palette or Palette VerteX installations.

   Click here to learn how to provide custom CAP/SCAP endpoints.

   1. Open a terminal window on a host that can connect to the Palette or Palette VerteX management cluster. Additionally, ensure that kubectl is installed on this host.

   2. Download the Kubeconfig file of the cluster..

   3. Open a terminal window and set the environment variable KUBECONFIG to point to the file you downloaded.

      export KUBECONFIG=<path-to-downloaded-kubeconfig-file>

   4. If you are using AWS Secret cloud accounts, use the following command to set a custom endpoint. Replace the <customized-endpoint-url> placeholder with your own value.

      kubectl --namespace hubble-system set env deployment/cloud CUSTOM_ISO_URL="<customized-endpoint-url>"

      If you are using AWS Top Secret cloud accounts, use the following command to set a custom endpoint. Replace the <customized-endpoint-url> placeholder with your own value.

      kubectl --namespace hubble-system set env deployment/cloud CUSTOM_ISOB_URL="<customized-endpoint-url>"

   5. Verify that the change has been applied with the following command.

      kubectl --namespace hubble-system get deploy cloud --output jsonpath='{.spec.template.spec.containers[*].env}'
      Example output

      [{"name":"CUSTOM_ISO_URL","value":"<customized-endpoint-url>"}]

6. Click the Validate button to validate the credentials.

7. Once the credentials are validated, verified by a green check mark, the Add IAM Policies toggle is displayed. Toggle Add IAM Policies on.

8. Use the drop-down Menu, which lists available IAM policies in your AWS account, to select any desired IAM policies you want to assign to the Palette IAM role or IAM user.

9. If you are using a PCG to connect to your AWS Secret Cloud account to Palette VerteX, toggle Connect Private Cloud Gateway on, and select a Private Cloud Gateway from the list. This list is populated automatically with the Private Cloud Gateways listed in Tenant Settings. For more information, refer to the Private Cloud Gateway page.

10. Click Confirm to create your AWS Secret Cloud account.

Validate

You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts, navigate to the left Main Menu. Click on Tenant Settings. Next, click Cloud Accounts. Your newly added AWS cloud account is listed under the AWS section.

EKS Pod Identity

Palette supports EKS Pod Identity, which allows pods to securely access AWS services using short-lived credentials. This is achieved by associating an IAM role with a Kubernetes service account, enabling pods that use that service account to assume the IAM role and access AWS resources without needing to manage long-lived AWS credentials.

Limitations

• This authentication option is only available for self-hosted Palette or Palette VerteX instances deployed on Amazon EKS clusters.

• Only Amazon EKS clusters can be deployed as workload clusters when using EKS Pod Identity for authentication.

Prerequisites

• Self-hosted Palette or Palette VerteX deployed on an Amazon EKS cluster with Kubernetes version 1.24 or later.

  • A ConfigMap named palette-global-config must exist in the kube-system namespace with a managementClusterName key set to the EKS management cluster's name where Palette or Palette VerteX is deployed.

    If this key is missing, the fallback mechanism will obtain the cluster's name using IMDS and EC2 tags, but for this to work, the cluster must have only EKS managed node groups with a CNI plugin that does not block IMDS access from pods.

    Click to display kubectl commands to check for and create the ConfigMap

    1. Log in to the Local UI of the leader host of the Palette or Palette VerteX management cluster.

    2. On the Cluster page, under Environment, click on the Admin Kubeconfig File to download it to your local machine.

    3. On your local machine, open a terminal session and export the KUBECONFIG environment variable to point to the downloaded kubeconfig file.

       export KUBECONFIG=/path/to/downloaded/kubeconfig

    4. Use the following kubectl command to check if the palette-global-config ConfigMap already exists.

       kubectl describe configmap palette-global-config --namespace kube-system

       If the ConfigMap exists, the output will be similar to the following example.

       apiVersion: v1
       kind: ConfigMap
       metadata:
         name: palette-global-config
         namespace: kube-system
       data:
         managementClusterName: "palette-eks-management-cluster"

    5. If the ConfigMap does not exist, use the following kubectl command to create it. Replace <eks-management-cluster-name> with the name of your EKS management cluster where Palette or Palette VerteX is deployed.

       kubectl create configmap palette-global-config \
         --from-literal=managementClusterName="<eks-management-cluster-name>" \
         --namespace kube-system

  • The EKS Pod Identity Agent must be enabled on the Amazon EKS cluster. Refer to the Set up the Amazon EKS Pod Identity Agent guide for more information.

• Access to the Amazon EKS cluster's kubeconfig file. You must be able to use kubectl to perform validation steps on the cluster.

• A Palette account with tenant admin access.

• If you need your workload clusters to access AWS resources in the same AWS account as the EKS management cluster, three IAM roles must be created for Palette and two of its services.

  The following table lists the IAM roles that must be created. Create them in the order shown as some roles are referenced by others.

  Service	IAM Role Name Example
  Palette	SpectroCloudPaletteRole
  Hubble service	SpectroCloudHubbleRole
  Identity service	SpectroCloudIdentityRole

  The following tabs provide guidance on the trust policies and permissions policies that must be assigned to each IAM role. Create these IAM roles in the same AWS account as the EKS management cluster that hosts Palette or Palette VerteX.

  Palette IAM role

  • The following trust policy must be assigned to the IAM role created for Palette. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The required IAM policies must be assigned to the IAM role created for Palette.

  • In addition to the required IAM policies, the following permissions policy must also be assigned to the IAM role created for Palette.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM role

  • The following trust policy must be assigned to the IAM role created for the Hubble service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM role created for the Hubble service.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowIAMValidation",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies",
            "iam:GetRolePolicy",
            "iam:GetPolicy",
            "iam:GetPolicyVersion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEC2Describe",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeRegions",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeRouteTables",
            "ec2:DescribeKeyPairs"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEKSDescribe",
          "Effect": "Allow",
          "Action": [
            "eks:DescribeCluster",
            "eks:ListClusters",
            "eks:DescribeNodegroup",
            "eks:ListNodegroups",
            "eks:DescribeAddon",
            "eks:ListAddons"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowKMSRead",
          "Effect": "Allow",
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases",
            "kms:DescribeKey",
            "kms:GetKeyPolicy",
            "kms:GetKeyRotationStatus"
          ],
          "Resource": "*"
        }
      ]
    }

  Identity service IAM role

  • The following trust policy must be assigned to the IAM role created for the identity service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM role created for the identity service.

    • Replace <aws-account-id> with your AWS account ID.
    • Replace <role-name-for-palette-iam-role> with the name of the IAM role created for Palette (for example, SpectroCloudPaletteRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EKSPodIdentityManagement",
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "EC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "IAM",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole"
          ],
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<role-name-for-palette-iam-role>"
          ]
        },
        {
          "Sid": "IAMPassRoleforPodIdentity",
          "Effect": "Allow",
          "Action": [
            "iam:PassRole"
          ],
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<role-name-for-palette-iam-role>"
          ]
        }
      ]
    }

• If you need your workload clusters to access AWS resources in different AWS accounts to the one where your EKS management cluster is deployed, cross-account IAM roles must be created for Palette and two of its services. Refer to the Amazon EKS documentation for more details about this requirement.

  The following table lists the IAM roles that must be created. Create them in the order shown as some roles are referenced by others.

  Service	IAM Role Name Example	Where to Create Role
  Identity service	SpectroCloudIdentityLocalRole	Same AWS account as EKS management cluster
  Palette	SpectroCloudPaletteTargetRole	Target AWS account for workload cluster resources
  Hubble service	SpectroCloudHubbleTargetRole	Target AWS account for workload cluster resources
  Hubble service	SpectroCloudHubbleLocalRole	Same AWS account as EKS management cluster

  The following tabs provide guidance on the trust policies and permissions policies that must be assigned to each IAM role.

  Identity service IAM local role

  You must create an IAM local role for the Palette identity service in two stages.

  1. Create the IAM local role with the trust policy outlined in this tab.
  2. After creation, assign the permissions policy outlined in this tab to the IAM local role.

  
  

  info

  These stages are required as the IAM local role ARN for the Palette identity service must be self-referenced in its own permissions policy. If the role is not created first, AWS will not be able to validate the policy.

  • The following trust policy must be assigned to the IAM local role created for the identity service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM local role created for the identity service.

    • Replace <target-aws-account-id> with the AWS account ID where the workload cluster resources are located.
    • Replace <role-name-for-palette-iam-local-role> with the name of the IAM role created for Palette in the target AWS account (for example, SpectroCloudPaletteTargetRole).
    • Replace <aws-management-cluster-account-id> with the AWS account ID where the EKS management cluster is deployed.
    • Replace <role-name-for-identity-service-iam-local-role> with the name of this IAM role created for the identity service (for example, SpectroCloudIdentityLocalRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EKSPodIdentityManagement",
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "EC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "IAM",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:PassRole",
            "sts:AssumeRole",
            "sts:TagSession"
          ],
          "Resource": [
            "arn:aws:iam::<target-aws-account-id>:role/<role-name-for-palette-iam-local-role>",
            "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          ]
        }
      ]
    }

  Palette IAM target role

  • The following trust policy must be assigned to the IAM target role created for Palette. This trust policy is the same as outlined in the Amazon EKS documentation.

    • Replace <aws-management-cluster-account-id> with the AWS account ID where the EKS management cluster is deployed.
    • Replace <aws-management-cluster-region> with the AWS region where the EKS management cluster is deployed.
    • Replace <management-cluster-name> with the name of the EKS management cluster.
    • Replace <role-name-for-identity-service-iam-local-role> with the name of the IAM role created for the identity service (for example, SpectroCloudIdentityLocalRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/palette-identity/palette-identity"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringLike": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/*/palette-manager"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:TagSession"
        },
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The required IAM policies must be assigned to the IAM target role created for Palette.

  • In addition to the required IAM policies, the following permissions policy must also be assigned to the IAM target role created for Palette.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM target role

  • The following trust policy must be assigned to the IAM target role created for the Hubble service. Replace the following templated values with your own values.

    • <aws-management-cluster-account-id>: The AWS account ID where the EKS management cluster is deployed.
    • <aws-management-cluster-region>: The AWS region where the EKS management cluster is deployed.
    • <management-cluster-name>: The name of the EKS management cluster.
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/spectro-hubble-identity"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/hubble-system/spectro-hubble"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/spectro-hubble-identity"
          },
          "Action": "sts:TagSession"
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM target role created for the Hubble service.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowIAMValidation",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies",
            "iam:GetRolePolicy",
            "iam:GetPolicy",
            "iam:GetPolicyVersion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEC2Describe",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeRegions",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeRouteTables",
            "ec2:DescribeKeyPairs"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEKSDescribe",
          "Effect": "Allow",
          "Action": [
            "eks:DescribeCluster",
            "eks:ListClusters",
            "eks:DescribeNodegroup",
            "eks:ListNodegroups",
            "eks:DescribeAddon",
            "eks:ListAddons"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowKMSRead",
          "Effect": "Allow",
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases",
            "kms:DescribeKey",
            "kms:GetKeyPolicy",
            "kms:GetKeyRotationStatus"
          ],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM local role

  • The following trust policy must be assigned to the IAM local role created for Hubble service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM local role created for Hubble service.

    • Replace the <target-aws-account-id> placeholder with the AWS account ID where the workload cluster resources are located.
    • Replace the <hubble-service-iam-target-role> placeholder with the name of the IAM role created for the Hubble service in the target AWS account (for example, SpectroCloudHubbleTargetRole).
    
    

    {
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "sts:AssumeRole",
        "sts:TagSession"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::<target-aws-account-id>:role/<hubble-service-iam-target-role>"
      ],
      "Sid": "IAM"
    }

• The IAM roles created for the Palette Hubble service and Palette identity service must have pod identity associations with the following Kubernetes service accounts. This is not required for the IAM role created for Palette itself.

  Palette Service	Kubernetes Namespace	Kubernetes Service Account
  Hubble	hubble-system	spectro-hubble
  Identity service	palette-identity	palette-identity

  Click to display example AWS CLI commands to create pod identity associations

  Use the commands in the appropriate tab below depending on whether your workload clusters need to access AWS resources in the same AWS account as the EKS management cluster, or in different AWS accounts.

  Same AWS Account

  Use the following AWS CLI command to create a pod identity association for the Palette Hubble service in the same AWS account as the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS cluster.
  • Replace <aws-account-id> with your AWS account ID.
  • Replace <hubble-service-iam-role-name> with the name of the IAM role created for the Palette Hubble service (for example, SpectroCloudHubbleRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace hubble-system \
  --service-account spectro-hubble \
  --role-arn arn:aws:iam::<aws-account-id>:role/<hubble-service-iam-role-name>

  Similarly, use the following AWS CLI command to create a pod identity association for the Palette identity service in the same AWS account as the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS Cluster.
  • Replace <aws-account-id> with your AWS account ID.
  • Replace <identity-service-iam-role-name> with the name of the IAM role created for the Palette identity service (for example, SpectroCloudIdentityRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace palette-identity \
  --service-account palette-identity \
  --role-arn arn:aws:iam::<aws-account-id>:role/<identity-service-iam-role-name>

  Different AWS Accounts

  Use the following AWS CLI command to create a pod identity association for the Palette Hubble service that needs to access AWS resources in a different AWS account to the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS cluster.
  • Replace <aws-management-cluster-account-id> with the AWS account ID where your EKS management cluster is located.
  • Replace <hubble-service-iam-local-role-name> with the name of the IAM role created for the Palette Hubble service (for example, SpectroCloudHubbleLocalRole).
  • Replace <target-aws-account-id> with the AWS account ID where the workload cluster resources are located.
  • Replace <hubble-service-iam-target-role-name> with the name of the IAM role created for the Hubble service in the target AWS account (for example, SpectroCloudHubbleTargetRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace hubble-system \
  --service-account spectro-hubble \
  --role-arn arn:aws:iam::<aws-management-cluster-account-id>:role/<hubble-service-iam-local-role-name>
  --target-role-arn arn:aws:iam::<target-aws-account-id>:role/<hubble-service-iam-target-role-name>

  Similarly, use the following AWS CLI command to create a pod identity association for the Palette identity service that needs to access AWS resources in a different AWS account to the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS Cluster.
  • Replace <aws-management-cluster-account-id> with the AWS account ID where your EKS management cluster is located.
  • Replace <identity-service-iam-local-role-name> with the name of the IAM role created for the Palette identity service (for example, SpectroCloudIdentityLocalRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace palette-identity \
  --service-account palette-identity \
  --role-arn arn:aws:iam::<aws-management-cluster-account-id>:role/<identity-service-iam-local-role-name>

Enablement

1. Log in to Palette or Palette VerteX as tenant admin.

2. From the left Main Menu, click on Tenant Settings.

3. Select Cloud Accounts, and click Add AWS Account.

4. In the cloud account creation wizard, enter the following information:

   • Account Name: Custom name for the cloud account.
   • Description: Optional description for the cloud account.
   • Partition: AWS US Secret
   • Select EKS Pod Identity authentication for validation.

5. In the AWS console, browse to the Role Details page for the IAM role created for Palette (for example, SpectroCloudRole) and copy the Amazon Resource Name (ARN).

6. In Palette, paste the role ARN into the ARN field.

7. Click the Validate button to validate the credentials.

   The Add IAM Policies option appears after successful validation. You can leave this blank for the purposes of EKS Pod Identity enablement, as the required IAM policies should have already been assigned to the IAM role created for Palette (for example, SpectroCloudRole).

8. (Optional) To set a permission boundary, click the Add Permission Boundary toggle and provide the ARN of a IAM policy or role in the Permission Boundary ARN field.

9. Click Confirm to create your AWS account.

Validate

1. Log in to Palette or Palette VerteX as tenant admin.

2. From the left main menu, click on Tenant Settings.

3. Ensure Cloud Accounts is selected. Your newly added AWS cloud account is listed under the AWS section.

4. Open a terminal session and ensure you have access to the kubeconfig file for the Amazon EKS cluster where Palette or Palette VerteX is deployed. Set the KUBECONFIG environment variable to point to the file.

   export KUBECONFIG=/path/to/kubeconfig/file

5. Issue the following kubectl commands to verify that EKS Pod Identity has set the required environment variables for the spectro-hubble and palette-identity pods.

   kubectl get pods --namespace hubble-system --selector app=spectro-hubble -ojsonpath='{.items[0].spec.containers[0].env[*].name}' | tr ' ' '\n' | grep AWS_CONTAINER

   kubectl get pods --namespace palette-identity --selector app=palette-identity -ojsonpath='{.items[0].spec.containers[0].env[*].name}' | tr ' ' '\n' | grep AWS_CONTAINER

   The output from both commands should include the following environment variables indicating that Amazon EKS has injected the necessary configuration for EKS Pod Identity.

   AWS_CONTAINER_CREDENTIALS_FULL_URI
   AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE

Next Steps

Now that you have added an AWS account to Palette, you can start deploying Kubernetes clusters to your AWS account. To learn how to get started with deploying Kubernetes clusters to AWS, check out the following guides:

• Create and Manage AWS IaaS Cluster
• Create and Manage AWS EKS Cluster
• EKS Hybrid Nodes